The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Computing devices that access resources over a network are commonly subjected to an authentication process. The authentication process determines whether a device requesting access to the network, or to a particular resource, actually is the device that it purports to be. If the device is authenticated, then depending on its identity, role, and other policy data, the device may be permitted to access the network, or selected resources within the network.
Wireless local area networks such as those that use an 802.1x protocol for wireless communications now commonly use some form of user authentication protocol. For example, Extensible Authentication Protocol (EAP), as defined in IETF RFC 2284, may be used. In EAP over LAN authentication, a wireless client device, such as a laptop computer, that is seeking to obtain network access is termed a supplicant. An AAA server provides user authentication services to an access device or authenticator, typically a router, which intercepts requests of the supplicant; the access device has the role of a client with respect to the AAA server.
Providing authentication services with an AAA server, or the like, allows centralization of policy decisions. Moreover, having a centralized AAA server avoids attacks from access points. However, performing authentication involves communicating numerous messages between the supplicant and the AAA server. If the supplicant requires re-authentication, the same process with multiple round-trip messages is used. This is time-consuming and computationally expensive. As a result, this approach is undesirable for mobile devices that frequently cross boundaries of wireless networks.
This approach is particularly unworkable because re-authentication can be triggered by numerous events. For example, re-authentication is typically required whenever the supplicant device is powered up or rebooted, when a user logs off the supplicant device, when the supplicant device is moved to a new access point, or when the supplicant device moves in and out of range of an access point. In addition, partial or unintended authentication may take place if the supplicant device is temporarily or transiently brought in or out of range of an access point.
Based on the foregoing, there is a clear need for an improved method for re-authenticating devices in networks. There is a specific need for an improved method for efficiently re-authenticating devices that use wireless networks. There is also a need for an approach for efficiently re-authenticating supplicant devices that use wireless networks that eliminates performing unnecessary round-trip messages whenever re-authentication is needed. There is also a need for an approach that can reduce processing and network load on the authentication infrastructure.